Managing ZFS File Systems in Oracle® Solaris 11.2

Updated: December 2014

Delegating ZFS Permissions Examples

Example 8-1  Delegating Permissions to an Individual User

When you delegate create and mount permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.

For example, to delegate create and mount permissions on the tank file system to user mark, first set the ACL on the mount point:

# chmod A+user:mark:add_subdirectory:fd:allow /tank/home

Then, use the zfs allow command to delegate create, destroy, and mount permissions. For example:

# zfs allow mark create,destroy,mount tank/home

Now, user mark can create his own file systems in the tank/home file system. For example:

# su mark
mark$ zfs create tank/home/mark
mark$ ^D
# su lp
$ zfs create tank/home/lp
cannot create 'tank/home/lp': permission denied

Example 8-2  Delegating create and destroy Permissions to a Group

The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the tank/home file system, as well as destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.

# zfs allow staff create,mount tank/home
# zfs allow -c create,destroy tank/home
# zfs allow tank/home
---- Permissions on tank/home ----------------------------------------
Create time permissions:
create,destroy
Local+Descendent permissions:
group staff create,mount
# su cindy
cindy% zfs create tank/home/cindy/files
cindy% exit
# su mark
mark% zfs create tank/home/mark/data
mark% exit
# su cindy
cindy% zfs destroy tank/home/mark/data
cannot destroy 'tank/home/mark/data': permission denied

Example 8-3  Delegating Permissions at the Correct File System Level

Ensure that you delegate permissions to users at the correct file system level. For example, user mark is delegated create, destroy, and mount permissions for the local and descendent file systems. User mark is also delegated local permission to snapshot the tank/home file system, but he is not allowed to snapshot his own file system, so he has not been delegated the snapshot permission at the correct file system level.

# zfs allow -l mark snapshot tank/home
# zfs allow tank/home
---- Permissions on tank/home ----------------------------------------
Create time permissions:
create,destroy
Local permissions:
user mark snapshot
Local+Descendent permissions:
group staff create,mount
# su mark
mark$ zfs snapshot tank/home@snap1
mark$ zfs snapshot tank/home/mark@snap1
cannot create snapshot 'tank/home/mark@snap1': permission denied

To delegate user mark permission at the descendent file system level, use the zfs allow -d option. For example:

# zfs unallow -l mark snapshot tank/home
# zfs allow -d mark snapshot tank/home
# zfs allow tank/home
---- Permissions on tank/home ----------------------------------------
Create time permissions:
create,destroy
Descendent permissions:
user mark snapshot
Local+Descendent permissions:
group staff create,mount
# su mark
$ zfs snapshot tank/home@snap2
cannot create snapshot 'tank/home@snap2': permission denied
$ zfs snapshot tank/home/mark@snappy

Now, user mark can only create a snapshot below the tank/home file system level.
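
The scope rules shown in Example 8-3 can be checked mechanically when auditing delegations. The following script is an added example, not part of the Oracle documentation: parse_zfs_allow, applies_to, delegated, and sample are hypothetical helper names, and the sample listing is reconstructed from the zfs allow output above with constructed indentation.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit `zfs allow <dataset>` output.
# parse_zfs_allow emits one record per permission: dataset|scope|type|name|perm
parse_zfs_allow() {
    awk '
    /^---- Permissions on /            { ds = $4; scope = ""; next }
    /^Create time permissions:/        { scope = "create"; next }
    /^Local[+]Descendent permissions:/ { scope = "local+descendent"; next }
    /^Local permissions:/              { scope = "local"; next }
    /^Descendent permissions:/         { scope = "descendent"; next }
    /^Permission sets:/                { scope = "set"; next }
    scope == "" || NF == 0             { next }
    {
        if (scope == "create")   { type = "creator"; name = "-"; list = $1 }
        else if (scope == "set") { type = "set"; name = $1; list = $2 }
        else                     { type = $1; name = $2; list = $3 }
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) print ds "|" scope "|" type "|" name "|" p[i]
    }'
}
# applies_to SCOPE GRANTED_ON TARGET: does a grant with SCOPE reach TARGET?
applies_to() {
    case "$1" in
        local)            [ "$3" = "$2" ] ;;
        descendent)       case "$3" in "$2"/*) true ;; *) false ;; esac ;;
        local+descendent) case "$3" in "$2"|"$2"/*) true ;; *) false ;; esac ;;
        *)                false ;;
    esac
}
# delegated TYPE NAME PERM TARGET: reads records on stdin, succeeds on a match.
# Group membership and @set expansion are not resolved here.
delegated() {
    while IFS='|' read -r ds scope type name perm; do
        [ "$type" = "$1" ] && [ "$name" = "$2" ] && [ "$perm" = "$3" ] || continue
        applies_to "$scope" "$ds" "$4" && return 0
    done
    return 1
}
# Constructed sample: the Example 8-3 listing; $1 is the header of mark's grant.
sample() {
    printf '%s\n' '---- Permissions on tank/home ----------' \
        'Create time permissions:' '    create,destroy' \
        "$1" '    user mark snapshot' \
        'Local+Descendent permissions:' '    group staff create,mount'
}
for hdr in 'Local permissions:' 'Descendent permissions:'; do
    for target in tank/home tank/home/mark; do
        if sample "$hdr" | parse_zfs_allow | delegated user mark snapshot "$target"
        then verdict=allowed; else verdict=denied; fi
        echo "$hdr mark snapshot $target: $verdict"
    done
done
```

On a live system, pipe the output of zfs allow for the file system under review into parse_zfs_allow instead of the sample function.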

Example 8-4  Defining and Using Complex Delegated Permissions

You can delegate specific permissions to users or groups. For example, the following zfs allow command delegates specific permissions to the staff group. In addition, destroy and snapshot are set as create-time permissions, so they are delegated to the creator of each file system that is created in tank/home.

# zfs allow staff create,mount tank/home
# zfs allow -c destroy,snapshot tank/home
# zfs allow tank/home
---- Permissions on tank/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+Descendent permissions:
group staff create,mount

Because user mark is a member of the staff group, he can create file systems in tank/home. In addition, user mark can create a snapshot of tank/home/mark2 because he has specific permissions to do so. For example:

# su mark
$ zfs create tank/home/mark2
$ zfs allow tank/home/mark2
---- Permissions on tank/home/mark2 ----------------------------------
Local permissions:
user mark create,destroy,snapshot
---- Permissions on tank/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+Descendent permissions:
group staff create,mount

However, user mark cannot create a snapshot in tank/home/mark because he does not have specific permissions to do so. For example:

$ zfs snapshot tank/home/mark@snap1
cannot create snapshot 'tank/home/mark@snap1': permission denied

In this example, user mark has create permission in his home directory, which means he can create snapshots by creating directories in the .zfs/snapshot directory. This scenario is helpful when your file system is NFS mounted.

$ cd /tank/home/mark2
$ ls
$ cd .zfs
$ ls
shares snapshot
$ cd snapshot
$ ls -l
total 3
drwxr-xr-x   2 mark    staff          2 Sep 27 15:55 snap1
$ pwd
/tank/home/mark2/.zfs/snapshot
$ mkdir snap2
$ zfs list -r tank/home
NAME                    USED  AVAIL  REFER  MOUNTPOINT
tank/home/mark           63K  62.3G    32K  /tank/home/mark
tank/home/mark2          49K  62.3G    31K  /tank/home/mark2
tank/home/mark2@snap1    18K      -    31K  -
tank/home/mark2@snap2      0      -    31K  -
$ ls
snap1  snap2
$ rmdir snap2
$ ls
snap1

Example 8-5  Defining and Using a ZFS Delegated Permission Set

The following example shows how to create the permission set @myset and delegate the permission set and the rename permission to the group staff for the tank file system. User cindy, a staff group member, has the permission to create a file system in tank. However, user lp does not have permission to create a file system in tank.

# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly tank
# zfs allow tank
---- Permissions on tank ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
# zfs allow staff @myset,rename tank
# zfs allow tank
---- Permissions on tank ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions:
group staff @myset,rename
# chmod A+group:staff:add_subdirectory:fd:allow /tank
# su cindy
cindy% zfs create tank/data
cindy% zfs allow tank
---- Permissions on tank ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions:
group staff @myset,rename
cindy% ls -l /tank
total 15
drwxr-xr-x   2 cindy   staff          2 Jun 24 10:55 data
cindy% exit
# su lp
$ zfs create tank/lp
cannot create 'tank/lp': permission denied